Meet Fitbit Flex - Hack.lu 2015 (slides: archive.hack.lu/2015/fitbit-hacklu-slides.pdf)
Meet Fitbit Flex
- Wireless activity wristband
- Tracks steps, distance, calories, active minutes
- Displays progress with 5 LEDs
- No altimeter, no GPS on the Flex. Only on the Charge or Surge.
Hack.lu 2015 - A. Apvrille 2/26
It’s also a “sleep wristband”
I slept well, thanks :)
Hack.lu 2015 - A. Apvrille 3/26
Opening the tracker
Thanks to my husband, Ludovic :)
Hack.lu 2015 - A. Apvrille 4/26
Sleep stage: polysomnography (PSG)
Credits: NascarEd
Hack.lu 2015 - A. Apvrille 5/26
Tracking activity with an accelerometer
Acceleration on (x), (y) and (z) for walking and jogging
From Kwapisz, Weiss and Moore, “Activity Recognition using Cell Phone Accelerometers”, SIGKDD 2011
Hack.lu 2015 - A. Apvrille 6/26
Tracking activity with an accelerometer
Acceleration on (x), (y) and (z) for sitting and standing
From Kwapisz, Weiss and Moore, “Activity Recognition using Cell Phone Accelerometers”, SIGKDD 2011
Hack.lu 2015 - A. Apvrille 6/26
Spying with an accelerometer
From Ravi, Dandekar, Mysore and Littman, “Activity Recognition from Accelerometer Data”, IAAI’05
Hack.lu 2015 - A. Apvrille 7/26
Where fitness data goes to
Various reward programs
Sales forces, insurances, sponsors...
“Higi announced [..] the launching of its industry-leading, privacy-protected and secure API” - Source: PR News
“AchieveMint previously partnered with the Brooklyn Nets basketball team to encourage users in Brooklyn and 75 miles around it to earn special rewards, such as VIP tickets to the draft or signed merchandise.” - Source: Mashable
Other examples
Nest (thermostat) and Beam (toothbrushes) are sharing with insurances
Hack.lu 2015 - A. Apvrille 8/26
Alternate usages to your tracker
What can you do with your (beloved) fitness tracker without sending anything to Fitbit (or other) servers?
Hack.lu 2015 - A. Apvrille 9/26
Four alternate geek usages
“This can of green peas? I’m going to turn it into caviar!”
1. Impress young kids with magician talent
2. Impress a scientist with a RNG
3. Impress a hacker friend with a screensaver
4. Impress security researchers with a scary attack
Hack.lu 2015 - A. Apvrille 10/26
Geek no.1: Impress (very) young kids with magician talent
Proprietary!
No technical user / developer / contributor documentation. Everything has to be reverse engineered.
Display Code packet:
c0 06 00 .. 00 02
- c0: control packet, for the tracker
- 06: command id - Display Code
- 02: useful length of the packet (the number of meaningful leading bytes, here c0 06)
Hack.lu 2015 - A. Apvrille 11/26
Blinking LEDs
Endpoint 0x01
C0 06 00 ... 02
Hack.lu 2015 - A. Apvrille 12/26
Geek no.2 Impress a scientist with a RNG
We always lack sources of entropy, don’t we? Use authentication packets.
Funny!
Flex supports authentication messages, but it’s a passthru (decompiled from the Fitbit app):

    // an unencrypted tracker skips the MAC check entirely
    if (!isencrypted || TrackerAuthUtils.checkMac(...)) {
        if (!isencrypted) {
            MySystemLog.log("TrackerAuthCommand",
                "Tracker is not encrypted, we just assume it's authed");
        }
        ...
    }
Hack.lu 2015 - A. Apvrille 13/26
Flex authentication
Dongle <-> Tracker(s):
1. Client Challenge (dongle -> tracker): C0 50 LocalRandom
2. Auth Chal Resp (tracker -> dongle): C0 51 TrackerChallenge SeqNum
3. Response to Challenge (dongle -> tracker): C0 52 ComputedMAC ...
Implement a Flex-based RNG:
- Send a dummy local random (C0 50)
- Wait for the tracker’s response: an 8-byte challenge
- Never send the last message (C0 52)
Hack.lu 2015 - A. Apvrille 14/26
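The three-step exchange and the “RNG” trick above, as an added example that is not part of the talk and not the Fitbit or Galileo code. It assumes a fixed 32-byte control packet laid out as the Display Code slide shows (C0, command id, payload, zero padding, trailing useful-length byte), and it assumes the 8-byte TrackerChallenge comes first in the C0 51 payload with SeqNum after it; the tracker is a constructed stand-in so the code runs offline. The harvester sends C0 50, takes the challenge out of C0 51, and deliberately never sends C0 52.

```python
import random

PACKET_SIZE = 32              # assumption: fixed-size USB report
CTRL = 0xC0                   # control packet, for the tracker (from the slides)
CMD_DISPLAY_CODE = 0x06
CMD_CLIENT_CHALLENGE = 0x50
CMD_AUTH_CHAL_RESP = 0x51
CMD_RESPONSE_TO_CHALLENGE = 0x52
CHALLENGE_LEN = 8


def build_control_packet(cmd, payload=b"", size=PACKET_SIZE):
    """Lay out [C0][cmd][payload...][zero padding][useful length]."""
    useful = bytes([CTRL, cmd]) + payload
    if len(useful) > size - 1:
        raise ValueError("payload too long for a %d-byte packet" % size)
    return useful + bytes(size - 1 - len(useful)) + bytes([len(useful)])


def parse_control_packet(pkt):
    """Return (cmd, payload), trusting only the trailing useful-length byte
    after range-checking it."""
    if len(pkt) != PACKET_SIZE or pkt[0] != CTRL:
        raise ValueError("not a control packet")
    useful = pkt[-1]
    if useful < 2 or useful > PACKET_SIZE - 1:
        raise ValueError("bad useful length %d" % useful)
    return pkt[1], bytes(pkt[2:useful])


class ChallengeHarvester:
    """Drives only the client-challenge step and collects tracker challenges."""

    def __init__(self, send, recv):
        self.send, self.recv = send, recv      # callables wrapping the dongle I/O
        self.collected = bytearray()

    def harvest_once(self):
        # 1. dummy local random: its content is irrelevant, nothing is verified
        self.send(build_control_packet(CMD_CLIENT_CHALLENGE, bytes(CHALLENGE_LEN)))
        # 2. wait for the tracker's C0 51
        cmd, payload = parse_control_packet(self.recv())
        if cmd != CMD_AUTH_CHAL_RESP:
            raise ValueError("unexpected command 0x%02x" % cmd)
        if len(payload) < CHALLENGE_LEN:
            raise ValueError("short challenge payload")
        challenge = payload[:CHALLENGE_LEN]   # assumed offset of TrackerChallenge
        self.collected += challenge
        # 3. deliberately no C0 52: the handshake is abandoned here
        return challenge


def make_fake_tracker(seed=1):
    """Constructed stand-in for a tracker: answers C0 50 with C0 51."""
    rng = random.Random(seed)
    inbox, seq = [], [0]

    def send(pkt):
        cmd, _ = parse_control_packet(pkt)
        if cmd == CMD_CLIENT_CHALLENGE:
            seq[0] = (seq[0] + 1) & 0xFF
            chal = bytes(rng.randrange(256) for _ in range(CHALLENGE_LEN))
            inbox.append(build_control_packet(CMD_AUTH_CHAL_RESP, chal + bytes([seq[0]])))

    def recv():
        return inbox.pop(0)

    return send, recv


if __name__ == "__main__":
    print(build_control_packet(CMD_DISPLAY_CODE).hex())   # c006 00..00 02
    harvester = ChallengeHarvester(*make_fake_tracker())
    for _ in range(4):
        harvester.harvest_once()
    print(harvester.collected.hex())
```

Swapping `make_fake_tracker()` for real dongle read/write callables is the only change needed to collect challenges from hardware; the parser's length checks are what keep a malformed reply from being mistaken for entropy.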
Is it (really) random???
Description              | Entropy | Chi-square | Mean  | Monte-Carlo Pi error | Dieharder failed tests
-------------------------|---------|------------|-------|----------------------|-----------------------
Target                   | 8       | 10-90%     | 127.5 | 0%                   | 0
Victor Hugo              | 4.6     | 0.01%      | 99    | 27%                  | 2 weak
Linux PRNG /dev/urandom  | 8       | 75%        | 127   | 0.57%                | 0
AES ciphertext           | 8       | 50%        | 128   | 0.50%                |
Fitbit tracker           | 8       | 75%        | 127   | 0.36%                | 3 weak
Radioactive decay events |         | 41%        |       | 0.06%                |
Hack.lu 2015 - A. Apvrille 15/26
Tracker RNG: conclusion
I would not use it for crypto
It does not look notably worse than Linux’s standard RNG
Hack.lu 2015 - A. Apvrille 16/26
Geek no.3 Impress a hacker friend with a screen saver
How to keep your laptop secure from curious eyes?
Screen lock
- See Matias Katz, “Backdooring X11 with much class and no privilege”
- Use the Fitbit USB dongle!
- Rely on udev
DEMO
Hack.lu 2015 - A. Apvrille 17/26
Better: lock with the tracker
Discover: MAC Addr, RSSI...
Lock the screen when you move away from your laptop
How?
Discovery responses:
1. the tracker’s ID - this is its Bluetooth MAC address
2. the Received Signal Strength Indication (RSSI)
Hack.lu 2015 - A. Apvrille 18/26
Plotting RSSI
(figure: RSSI over time, annotated: close to dongle, moved 3 m, moved 5 m, next door, in my pocket, hand around tracker)
Hack.lu 2015 - A. Apvrille 19/26
Trackerlock demo
Trackerlock
$ python trackerlock.py --delay 1 --movement 15
Getting list of available trackers...
1- TrackerId: 09 73 78 63 f7 f3 AddrType: 1
RSSI: 190 Attr: 02 07 SUUID: 00 fb
Select tracker’s num: 1
Tracker has moved away!!! (RSSI=186)
Demo
Hack.lu 2015 - A. Apvrille 20/26
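The lock decision behind a demo like the one above, as an added example that is not the talk’s trackerlock.py. The discovery record layout (6-byte TrackerId, AddrType, RSSI, 2-byte Attr, 2-byte SUUID, in the order the demo prints them) and the meaning of `movement` (lock once RSSI falls that far below the best value seen) are this example’s own assumptions; the records are constructed from the values shown in the demo output. The parser treats every field from the radio as opaque bytes of a fixed size, which is the defensive point of the “what if the tattoo is malicious” slides later on.

```python
import struct
import subprocess

RECORD_LEN = 12   # assumed layout: TrackerId(6) AddrType(1) RSSI(1) Attr(2) SUUID(2)


def parse_discovery_record(raw):
    """Strict parse: wrong size is rejected and nothing is interpreted as text or code."""
    if len(raw) != RECORD_LEN:
        raise ValueError("discovery record must be %d bytes, got %d" % (RECORD_LEN, len(raw)))
    tracker_id, addr_type, rssi, attr, suuid = struct.unpack(">6sBB2s2s", raw)
    return {"tracker_id": tracker_id, "addr_type": addr_type, "rssi": rssi,
            "attr": attr, "suuid": suuid}


def hexs(b):
    return " ".join("%02x" % x for x in b)


def format_record(num, rec):
    """Same line shape as the demo listing, built only from checked fields."""
    return "%d- TrackerId: %s AddrType: %d RSSI: %d Attr: %s SUUID: %s" % (
        num, hexs(rec["tracker_id"]), rec["addr_type"], rec["rssi"],
        hexs(rec["attr"]), hexs(rec["suuid"]))


def lock_screen():
    # assumption: an X11 desktop where xdg-screensaver is available
    subprocess.call(["xdg-screensaver", "lock"])


class TrackerLock:
    """Watches one tracker across scans; locks on an RSSI drop or on silence."""

    def __init__(self, tracker_id, movement, lock_action=lock_screen, max_missed=3):
        self.tracker_id = tracker_id
        self.movement = movement            # RSSI drop that counts as "moved away"
        self.lock_action = lock_action
        self.max_missed = max_missed        # scans without a reply before locking
        self.baseline = None                # best (closest) RSSI seen so far
        self.missed = 0

    def observe(self, records):
        mine = [r for r in records if r["tracker_id"] == self.tracker_id]
        if not mine:
            self.missed += 1
            if self.missed >= self.max_missed:
                self.lock_action()
                return "Tracker not seen for %d scans, locking" % self.missed
            return "Tracker not seen (%d/%d)" % (self.missed, self.max_missed)
        self.missed = 0
        rssi = mine[0]["rssi"]
        if self.baseline is None:
            self.baseline = rssi
            return "baseline RSSI %d" % rssi
        if self.baseline - rssi >= self.movement:
            self.lock_action()
            return "Tracker has moved away!!! (RSSI=%d)" % rssi
        self.baseline = max(self.baseline, rssi)
        return "ok (RSSI=%d)" % rssi


if __name__ == "__main__":
    # constructed scans using the tracker id and fields from the demo output
    tid = bytes.fromhex("09737863f7f3")
    scans = [[parse_discovery_record(tid + bytes([1, rssi]) + bytes.fromhex("020700fb"))]
             for rssi in (190, 188, 186, 170)] + [[], [], []]
    watcher = TrackerLock(tid, movement=15, lock_action=lambda: print("  -> lock"))
    print(format_record(1, scans[0][0]))
    for scan in scans:
        print(watcher.observe(scan))
```

In a real loop the scan list comes from a discovery request issued every `delay` seconds; keeping the parser strict means a record of the wrong length, or an ID field carrying arbitrary bytes, is dropped or printed as hex rather than handed to anything that might interpret it.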
Geeky no.4: Scare a Security Researcher
For Good .. or for Bad
Good: Digital Tattoo
(diagram: the tattoo “I LOVE YOU !” is written to the tracker; the discovery response “XX ... I LOVE YOU !” echoes it back)
Danger: What if the Tattoo is Malicious Code?
(diagram: the attacker injects malicious code into the tracker, which is now infected; a discovery from the victim’s laptop returns the malicious code)
Deliver malicious payload: crash, propagate...
Video
Hack.lu 2015 - A. Apvrille 23/26
Digital Tattoo / Infection: Limitations
1. Max 17 bytes. Is that enough? Yes: the Crash Pentium Trojan (2004) was 4 bytes
2. Execute/deliver the code on the target: we did not handle this!
3. Fitbit patches
Hack.lu 2015 - A. Apvrille 24/26
Interesting links
- Galileo - https://bitbucket.org/benallard/galileo
- Rahman et al., Fit and Vulnerable: Attacks and Defenses for a Health Monitoring Device, CoRR, 2013.
- Fitbit Flex Teardown. http://ifixit.org/blog/5042/fitbit-flex-teardown/
- Matias Katz - Backdooring X11 with much class and no privileges, Hack in Paris 2015
- My Fitbit tools repository on GitHub
- My presentation at Hack in Paris 2015
- My own humoristic drawings: Pico le croco
- Link to satisfaction form: http://bit.ly/1KUkjaB
Hack.lu 2015 - A. Apvrille 25/26
Thanks for your attention!
Contact info
@cryptax or aapvrille (at) fortinet (dot) com
http://bit.ly/1KUkjaB
Thanks to Ludovic Apvrille, Aurelien Francillon and Matias Katz
Hack.lu 2015 - A. Apvrille 26/26